ASSESSMENT REPORT 12-23

Federal PKI Compliance Report
September 18, 2012

Date: September 18, 2012
To: Chief Information Officer
From: Inspector General
Subject: Assessment Report - Federal PKI Compliance Report
Report Number 12-23

Enclosed please find the subject final report. The Office of the Inspector General administered a contract with Ernst & Young LLP (E&Y) to provide a compliance report of GPO’s Public Key Infrastructure (PKI) for July 1, 2011 through June 30, 2012. E&Y conducted their work in accordance with attestation standards established by the American Institute of Certified Public Accountants.

E&Y concluded that GPO’s assertion is fairly stated in all material respects. E&Y also issued a Letter of Supplementary Information, concluding that the GPO Principal Certification Authority Certificate Practices Statement conformed in all material respects to the GPO-Certificate Authority and Federal PKI common policies. E&Y is responsible for the attached report and the opinion expressed therein.

We appreciate the courtesies extended to E&Y and to our audit staff. If you have any questions or comments about this report, please do not hesitate to contact me at (202) 512-0039.

Michael A. Raponi
Inspector General

Enclosure

cc:
Acting Public Printer
Assistant Public Printer, Operations
General Counsel

US Government Printing Office
Report of Independent Accountants

Federal PKI Compliance Report

For the Period July 1, 2011 to June 30, 2012

Table of Contents

Report of Independent Accountants
Management Assertion
Letter of Supplementary Information
Summary of Matters Relating to Project Personnel

Ernst & Young LLP
Westpark Corporate Center
8484 Westpark Drive
McLean, VA 22102
Tel: +1 703 747 1000
Fax: +1 703 747 0100
www.ey.com

Report of Independent Accountants

We have examined the assertion, dated August 20, 2012, by the management of the United States Government Printing Office (“GPO”), that GPO’s Certification Authority (GPO-CA) complied with certain requirements of its Certificate Policy (CP), Version 1.3.1 dated August 17, 2009 and its Certificate Practices Statement (CPS) Version 1.7.1 dated June 3, 2011, for the period July 1, 2011 to June 30, 2012, as well as the requirements of the Federal PKI Authority and all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO-CA with other entities.

Management of the GPO is responsible for its compliance with those requirements. Our responsibility is to express an opinion on management’s assertion about the GPO’s compliance based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and accordingly, included examining, on a test basis, evidence about GPO-CA’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specific requirements.

In our opinion, for the period from July 1, 2011 through June 30, 2012, GPO management’s assertion, as set forth in the first paragraph, is fairly stated, in all material respects.

This report is intended solely for the information and use of the GPO and the U.S. Federal PKI Policy Authority and is not intended to be and should not be used by anyone other than those specified parties.

August 20, 2012

A member firm of Ernst & Young Global Limited

August 20, 2012

Letter of Supplementary Information

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO CA):

This letter provides supplementary information to the examination performed by Ernst & Young LLP of the assertion by the management of the GPO-CA regarding the certification authority services it provides at http://www.gpo.gov/projects/pki.htm.

Management’s assertions were based on the American Institute of Certified Public Accountants (AICPA)/Canadian Institute of Chartered Accountants WebTrust for Certification Authorities criteria. GPO-CA’s management was responsible for its assertion. Our responsibility was to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included examining, on a test basis, evidence about GPO’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on GPO-CA’s compliance with specified requirements.

The audit period for this examination was from July 1, 2011 through June 30, 2012. Our examination was performed between March 26, 2012 and July 6, 2012.

We examined the Certificate Policy (CP) for the GPO-CA version 1.3.1, dated August 17, 2009, and the Certification Practices Statements (CPS) for the GPO Principal Certification Authority (GPO-PCA) version 1.7.1, dated June 3, 2011. Multiple Root CAs were not in operation at GPO-CA.

Our examination included, through our testing of management’s assertion, the evaluation of GPO-CA’s operations for conformance to the requirements of its CPS and the evaluation of GPO-CA’s operations for conformance to the requirements of all current cross-certification Memorandum of Agreements (MOAs) executed by the GPO-CA with other entities. In our Report of Independent Accountants dated August 20, 2012, we reported that management’s assertion was fairly stated in all material respects.

We have compared the CPS for the GPO-PCA version 1.7.1, dated June 3, 2011, for conformance to the CP for the GPO-CA version 1.3.1, dated August 17, 2009. We found, in all material respects, that the GPO-PCA CPS is in conformance with GPO-CA CP.

We have compared the CPS for the GPO-PCA version 1.7.1, dated June 3, 2011 for conformance to the FPKI Common Policy. For this analysis we utilized the Framework Certification Practice Statement Evaluation Mapping Matrix, Version 2.8 (September 22, 2010). We found, in all material respects, that the GPO-PCA CPS is in conformance with the requirements of the FPKI Common Policy.

We are independent of the GPO for the professional engagement period as required by the AICPA Professional Standards.

August 20, 2012

Summary of matters related to project personnel provided by Ernst & Young LLP

To the Inspector General of the United States Government Printing Office and the Management of the United States Government Printing Office Certification Authority (GPO-CA):

The GPO Office of Inspector General (OIG) has asked Ernst & Young LLP (EY or we) to provide certain information to assist in its efforts to provide the Federal Public Key Infrastructure Policy Authority (FPKIPA) with information about the individuals who performed work as part of the WebTrust for Certification Authority (WTCA) examination services; these services are performed in accordance with relevant American Institute of Certified Public Accountants (AICPA) standards. The FPKIPA sets policy governing operation of the U.S. Federal PKI Infrastructure, composed of: the Federal Bridge Certification Authority (FBCA); the Federal Common Policy Framework Certification Authority (CPFCA); the Citizen and Commerce Class Common Certification Authority (C4CA) and the E-Governance Certification Authority. EY makes no representation regarding the sufficiency of this information for the purposes for which this information was requested. That responsibility rests solely with the FPKIPA.

Educational level and professional experience

Client serving personnel (Professionals) EY has provided to the Agency have received a degree from an accredited college or university (or its equivalent if the individual was educated outside of the United States). Certain individuals may also have advanced degrees. The majority of Professionals provided to the Agency are part of EY’s Advisory Services (AS) service line. Recruiting efforts for the AS practice focus on candidates with information technology, accounting, finance and other business-related degrees. Hiring activities and types of Professionals hired into each EY service line, including Assurance and Tax, are generally the same as similar service lines and personnel of Deloitte & Touche, PricewaterhouseCoopers and KPMG (who along with EY, are the Big Four).

The experience levels of Professionals provided will vary based upon various factors including age and length of time the individual has worked since receiving their degree. The amount of professional experience of Professionals may not solely be related to a person’s employment period with EY, as EY normally hires a combination of experienced Professionals and Professionals who recently graduated from a college or university. In most cases, the experience level within a rank classification of EY Professionals is generally the same as the other Big Four.

Methodologies, policies and procedures

EY Professionals carrying out WTCA examinations are required to comply with policies and procedures within the EY Advisory Global Practice Manual and related methodologies. In those cases where we do not perform work directly under the supervision and responsibility of Agency personnel as part of an engagement to provide loan staff, and we provide management with our findings and recommendations in those areas where we observe internal controls that, in our view, could be improved, the Advisory Global Practice Manual requires the work and any reports or deliverables to be in accordance with the Statement on Standards for Consulting Services (CS100) of the AICPA. The initial adoption of, and any subsequent changes in, policies and procedures have been reviewed and approved by EY’s Professional Practice group.

Professional certification and continuing education

EY encourages its Professionals to obtain a professional certification. In certain service lines, obtaining a professional certification is a requirement for promotion. Individuals in AS are encouraged to obtain a professional certification, but it is not a requirement of employment or advancement. AS’ more experienced Professionals (which we refer to as managers, senior managers, executive directors, principals or partners) usually have a professional certification and some may have more than one certification. In the AS service line, the most common certifications are Certified Public Accountant (CPA) (or its equivalent in other countries), Certified Internal Auditor (CIA) as recognized by the Institute of Internal Auditors, Certified Information Systems Auditor (CISA) as recognized by the Information Systems Audit and Control Association, or Certified Management Accountant (CMA) as recognized by the Institute of Management Accountants.

The continuing professional education requirements of the SEC (Securities and Exchange Commission) Practice Section of the AICPA Division for CPA firms are the foundation of EY’s professional development policy. The policy applies to all professionals and Government Accountability Office (GAO) Guidance, as confirmed in consultation with GAO personnel, suggests that staff and those individuals not managing an engagement subject to Government Auditing Standards (GAS) may generally satisfy the Government Auditing Standards (Yellow Book) 24 hour CPE requirement through completion of the firm’s core training because significant portions of core training content involve auditing under AICPA standards and AICPA standards are incorporated into GAS. As a subset of the 24 hour GAS requirement, our firm has a governmental audit continuing education policy that applies to individuals acting as partner in charge, the independent reviewer, and each individual managing a governmental audit or attestation engagement. An individual’s professional development principally occurs through formal learning and on-the-job training. Participation in formal education programs (including self-study programs and meetings organized at least in part for educational purposes) is intended to supplement on-the-job training and other learning activities.

Participation in professional development programs is measured in units of continuing professional education (CPE) credit hours earned in our educational year. EY’s educational year is July 1 through June 30. The EY policy for compliance is as follows:

– Commencing with the first full educational year of employment, each professional must obtain at least 20 CPE credit hours each year and at least 120 CPE credit hours during the most recent three-year period.

– Professionals who were not employed during the entire most recent educational year are not required to earn continuing professional education credits in that year.

– Professionals who were employed during the entire most recent educational year, but not during the entire most recent two educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during the most recent educational year.

– Professionals who were employed during the entire most recent two educational years, but not during the entire most recent three educational years, are required to have participated in at least 20 hours of qualifying continuing professional education during each of the two most recent educational years.

Professionals who hold a professional designation or certification other than the CPA certification (e.g., CIA, attorney at law, CISA, CMA) may be subject to continuing education requirements as part of that designation or certification. Completion of courses to meet these requirements may be used to meet the firm’s CPE requirements as long as the courses also meet the requirements of the AICPA’s SEC Practice Section.

Experience Auditing PKI Systems

The EY executive team assigned to the GPO project has experience in performing audits and implementation of PKI systems and IT security. In addition, certain team members also have participated in a number of other commercial PKI and WebTrust for CA examinations both as a team member and as a quality reviewer. We have incorporated consultations with other EY staff who represent the firm on the AICPA WebTrust Task Force. EY’s client roster for PKI projects for governmental agencies other than the GPO includes other US federal agencies as well as foreign governmental monetary organizations.

We are available if you need any additional information or would like to further discuss this memorandum.

Summary information for EY executives assigned to the engagement

Name                   Rank                Certifications                Years of experience  In compliance with EY CPE policy (Yes/No)
Werner Lippuner        Principal           CA (Switzerland), CISA, CISM  23                   Yes
James Merrill          Executive Director  CPA, CISA                     30                   Yes
Bruce Hamilton         Senior Manager      CISSP, CISA, CISM, CPA        31                   Yes
Timothy Iijima, Ph.D.  Senior Manager      PMP                           15                   Yes
Staci Angel            Manager             CISA                          8                    Yes